SSL RC4 Cipher Suites Supported (Bar Mitzvah) (Windows) Vulnerability
Written by Luke Peach
Updated over a week ago

When a vulnerability scanner detects the SSL RC4 Cipher Suites Supported (Bar Mitzvah) finding, it reports it with a CVSSv3 score of 5.9.

CVSS (the Common Vulnerability Scoring System) is the industry-standard scoring system for vulnerabilities; it rates each finding on a scale from 0 to 10. The scanner describes this finding as follows:

The remote host supports the use of RC4 in one or more cipher suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases are introduced into the stream, decreasing its randomness.

If plaintext is repeatedly encrypted (e.g., HTTP cookies), and an attacker is able to obtain many (i.e., tens of millions) ciphertexts, the attacker may be able to derive the plaintext.

Block ciphers are a type of symmetric algorithm that, as the name implies, encrypts plaintext in blocks rather than bit by bit. One of the characteristics of such ciphers is the block length, which determines the size of the chunks into which the plaintext is split and then encrypted. Importantly, the block length of the cipher is independent of the length of the key. So even if you choose a large key size for your encryption, the block length of the cipher can impose its own limitations and, in this case, vulnerabilities.

To help protect against this vulnerability, you need to disable the older RC4 ciphers in the registry. To disable RC4 on your Windows server, set the following registry values:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

Note: A restart will be required after making these changes.
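The following PowerShell script is an added example, not part of the original article, that applies the three registry changes above and reads them back so you can confirm the state before and after. It assumes an elevated (Administrator) session on the server being remediated; the function names Disable-Rc4Cipher and Get-Rc4CipherState are this example's own. It deliberately uses the .NET Registry API rather than New-Item/Set-ItemProperty, because the PowerShell registry provider treats the forward slash in names such as "RC4 128/128" as a path separator and would silently create a nested key instead of the one SCHANNEL reads.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): disable the RC4 SCHANNEL cipher
# entries listed above and verify the result. A reboot is still required before
# SCHANNEL picks up the change.

$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$rc4Keys = @('RC4 128/128', 'RC4 40/128', 'RC4 56/128')

function Disable-Rc4Cipher {
    param([Parameter(Mandatory)][string]$KeyName)
    # CreateSubKey on the .NET RegistryKey takes the name literally, so the
    # forward slash in "RC4 128/128" is kept as part of the key name.
    $ciphers = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($ciphersPath, $true)
    try {
        $key = $ciphers.CreateSubKey($KeyName, $true)
        try {
            # Enabled = 0 (REG_DWORD) is exactly the value the .reg entries above set.
            $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        } finally { $key.Dispose() }
    } finally { $ciphers.Dispose() }
}

function Get-Rc4CipherState {
    param([Parameter(Mandatory)][string]$KeyName)
    # Read-only open; returns $null when the key does not exist at all.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$ciphersPath\$KeyName")
    if ($null -eq $key) {
        # No key means SCHANNEL uses its built-in default for this cipher,
        # which is not the same as an explicit "disabled".
        return [pscustomobject]@{ Cipher = $KeyName; State = 'default (key missing)' }
    }
    try {
        $value = $key.GetValue('Enabled')
        $state = if ($null -eq $value) { 'default (value missing)' }
                 elseif ($value -eq 0)  { 'disabled' }
                 else                   { 'enabled' }
        return [pscustomobject]@{ Cipher = $KeyName; State = $state }
    } finally { $key.Dispose() }
}

Write-Host 'Before:'
$rc4Keys | ForEach-Object { Get-Rc4CipherState -KeyName $_ } | Format-Table -AutoSize

$rc4Keys | ForEach-Object { Disable-Rc4Cipher -KeyName $_ }

Write-Host 'After:'
$rc4Keys | ForEach-Object { Get-Rc4CipherState -KeyName $_ } | Format-Table -AutoSize
Write-Warning 'Restart the server before SCHANNEL applies these changes.'
```

After the restart, run Get-Rc4CipherState (or regedit) once more to confirm each of the three keys still reads "disabled", then re-run the vulnerability scan to confirm the finding no longer appears.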
